The business case for security strategy and architecture
The business benefits of developing an information security strategy and accompanying security architecture/design include:
- Being proactive, taking the lead in this area - more puppeteer than puppet;
- Designing a framework or structure to support the organisation's unique situation and needs;
- Positioning and guiding the management of information risk and security within other aspect of the organisation's architecture/design e.g. its IT and information architecture (showing information flows, networked systems, databases, services etc.), complementing and supporting various other business strategies and architectures such as cloud first, artificial intelligence, IIoT, big data, new products, new markets ...);
- Providing a blueprint, mapping-out and clarifying the organisational structure, governance arrangements and accountabilities for information risk and security relative to other parts of the business such as IT, physical security, Risk, legal/compliance, HR, operations, business continuity, knowledge management ...;
- Defining a coherent sequence or matrix of strategic initiatives (projects, investments, business and technology changes ...) over the next N years, embedding information risk management ever deeper into the fabric of the organisation and strengthening the information security arrangements in various ways (e.g. systematically phasing-out and replacing aged/deprecated security technologies while researching, piloting and then adopting new ones such as blockchain and post-quantum crypto);
- Driving the development and maturity of the information risk and security management function, covering its priorities, internal structure and external working relationships, governance etc.;
- Bringing clarity and direction (focus!), reducing complexity and uncertainty associated with myriad 'other options' that are discounted or put on hold;
- Seizing opportunities to align and support various departments, processes, systems, partners, projects/initiatives, budgets, plans etc., finding and exploiting points of common interest, avoiding awkward conflicts and gaps;
- Identifying key objectives for information risk and security - important for ISO/IEC 27001 and security metrics;
- Motivating yourself and your colleagues to think beyond the immediate task list, broadening perspectives and extending timescales.
A full-blown multi-year security strategy and architecture can work nicely, particularly in larger, more complex and mature/stable organisations whose senior management appreciates or needs the long-term grand view, the bigger picture - provided they have access to the particular expertise needed to do justice to this topic anyway. Strategy is perhaps the most difficult and risky part of information risk and security, as it is for other aspects of enterprise management.
If you're still not convinced, consider that not preparing a security strategy and some form of security architecture/design may be even riskier and costlier in the long run. Failing to plan is planning to fail. Maintaining a state of 'creative chaos' - meaning a purely reactive event-driven approach - is suboptimal. However, with no clear objectives in mind, it may seem OK to those in the thick of it, far too busy treading water to scan the horizon for land.
Can I throw you a lifeline?
Google! Study hard. There are tools and techniques to help with strategy and architecture, just as there are for information risk and security management. Seek professional help if you need it.
You might for instance start simply by (literally!) sketching out whichever areas of information risk and security management matter most to your organisation, exploring the relationships among them and the obvious links with other areas such as IT and HR. Think about the security processes/activities and systems, paying special attention to the organisation's pain points. Gradually refine and extend the rough sketch into a blueprint encompassing broader aspects such as business objectives and resources ... and pretty soon things magically emerge from the mist.
Now comes a vital step: debate it with your colleagues. Talk it through. Listen carefully to their questions, objections and concerns, pushing back a little by exploring their strategies, architectures and ideas, steadily refining yours. This is a team game. Take your time.
As the vision takes shape, raise the discussion to senior management levels ... and at that point I'll slip quietly away, job done.
Must dash: others adrift, gasping.